Disclaimer

During the course of this research, a number of publicly accessible hosts, devices and
domains were analysed and tested. These represent only a sample, which helps us build a
bigger picture of the condition of Nepali cyberspace; as such, we cannot guarantee that
our tests and this report have encompassed all existing devices in Nepal, publicly
accessible or otherwise. We encourage every security researcher to notify the respective
party about any security vulnerability they come across, to foster a culture of
responsible disclosure and to create a cyber secure Nepal.

All information included in this document is intended to create awareness of security
issues rather than to encourage exploitation of the discovered shortcomings. ThreatNix is
not liable for any misuse of information provided in this report, which may or may not
allow unauthorized access to systems.
Foreword

This report is a sincere attempt to assess the security of Nepali cyberspace and to assist
in strengthening it. We prepared it with the determination to make Nepal and its
cyberspace resilient to all kinds of threats. In this age of cyber warfare, we cannot ignore
the possibility of large scale cyber-attacks, state sponsored or otherwise, that may cripple
our cyber infrastructure. During our research, we scanned devices and websites in Nepal
for misconfigurations that could be used to exploit them. Furthermore, we assessed a
number of public data repositories that hold confidential citizen data for potential data
leakage.

It is no secret that the security posture of Nepali cyberspace is not up to the mark. The
constant defacement of both private and public Nepali domains, and the large scale
financial attacks and cyber heists, are the publicly visible consequences of a weak security
posture. But these are only a minute part of the overall picture. Many of the poor
configurations that lead to these visible impacts go unnoticed until they produce the
worst outcome. We consider that most of these security issues stem from a lack of
awareness of computer security. This report is an initiative to make people aware of
computer security in order to establish a strong security posture in Nepal.

While this report does paint a rather pitiful picture of the security status of Nepali
cyberspace, we were happy to observe some improvement as well. At the initial phase of
our research we expected to find a much bleaker state of security, and were positively
surprised. This positive trend excites us, and we hope that it will gather pace to soon
establish a strong and cyber secure Nepal. We genuinely hope that this report can be a
strong force pushing that trend even further.
Introduction

2017 was a year of astonishing and sophisticated cyber-attacks for Nepal, including a
multi-million rupee virtual bank heist and cryptojacking, in which attackers hijacked
popular websites to mine cryptocurrency in visitors' browsers. Nepal's cyberspace saw
sophisticated and sustained international adversaries intent on causing financial distress.
Prominent incidents of cybercrime showed that the cyber threat is evidently growing in
Nepal and that the country is seen as a lucrative target by international cyber criminals.
The reach and diversity of cyber-attacks are expanding, and operations against both
government and private entities keep evolving with marked innovation.

Publicly revealed incidents are just the tip of the iceberg. ThreatNix has prepared this
report to paint a bigger and more precise picture of cyber threats, with the intent of
understanding our current cyber security posture and using it to establish a strong
security baseline that stops opportunistic malicious adversaries. Through this report, we
look forward to assisting in the attainment of a more cyber secure Nepal.
About us

ThreatNix is a tight-knit group of experienced security professionals committed to
providing competent cybersecurity solutions that adhere to international standards. Our
team of security experts delivers unbiased guidance and solutions before attacks become
disruptions and financial hardships. We pride ourselves on providing the level of expertise
that not only helps organizations identify vulnerabilities and areas for improvement but
also guides them on best practices to correct those vulnerabilities.

Our mission is to bring a paradigm shift in how cybersecurity is strategically and 
holistically addressed for organizations around the world. We strive to focus all our 
collective efforts on one single thing - be the first choice for all your cybersecurity needs. 
We intend to build a global culture of defending against cybercrime and are confident 
that our dedication towards it will drive the solutions which will ultimately provide state- 
of-the-art security for our clients. 
Top Cyber Security Incidents in Nepal (2017)

Website of Department of Passport Hacked 

The official website of the Department of Passport was reportedly hacked and defaced on
June 27, 2017 by a group of Turkish hackers. The website was defaced with a note
threatening to reveal the government's data if the government did not pay attention to
the hackers' demands.

Source: http://www.myrepublica.com/news/24383/?categoryId=81

NIC Asia Bank Heist 

On October 23, 2017, the SWIFT system of NIC Asia Bank was reportedly hacked by
unidentified attackers, who initiated $4.4 million in fraudulent transfers from the bank's
account to six different countries. The bank recovered $3.9 million after discovering the
suspicious transactions.

Source: https://www.bankinfosecurity.com/report-attackers-hacked-nepalese-banks-swift-server-a-10437

58 Government Websites Hacked 

On July 25, 2017, 58 government websites were reportedly hacked by a group called
'Paradox Cyber Ghost'. Although the group claimed it was just a test, this was one of the
biggest breaches ever seen in Nepal.

Source: http://kathmandupost.ekantipur.com/news/2017-07-25/58-govt-websites-hacked-to-test-vulnerability.html

OnlineKhabar Found Using Cryptominer 

On November 28, 2017, OnlineKhabar, one of the most popular online news portals of
Nepal, was found to be serving a JavaScript miner that used the computer of anybody
visiting the website to mine the cryptocurrency Monero. The mining script was later
removed, and on November 29 OnlineKhabar issued a press release attributing the
activity to third-party malicious attackers.

Source: https://threatnix.io/blog/monero-mined-from-onlinekhabar/
Top Cyber Security Incidents Worldwide (2017)

Ransomware 

WannaCry 

WannaCry ransomware spanned more than 150 countries and hit more than 300,000
machines worldwide by leveraging the EternalBlue exploit from the leaked NSA toolset. It
targeted computers running Microsoft Windows, encrypting the data and demanding
payment to unlock the files.

Petya 

Similar to WannaCry, the 2017 Petya variant uses the EternalBlue exploit as one of the
means to propagate itself. In addition, it spreads laterally with credentials harvested from
infected hosts, using legitimate Windows administration tools (PsExec and WMIC), so it can
move through an organization's network even where the hosts are patched against
EternalBlue.

NotPetya 

In June 2017, NotPetya targeted Ukrainian businesses and spread to major global
companies including FedEx, the British advertising agency WPP, the Russian oil and gas
giant Rosneft, and the Danish shipping firm Maersk. NotPetya also used an exploit leaked
by the Shadow Brokers. In September, FedEx attributed a $300 million loss to the attack.

Bad Rabbit 

Bad Rabbit affected Russia, Ukraine, Turkey and Germany by posing as an Adobe Flash
installer on news and media websites that the attackers had compromised.

Cloudbleed 

On February 17, 2017, Tavis Ormandy of Google Project Zero reported a vulnerability to
Cloudflare, a company offering performance and security services to about six million
customer websites. A buffer overrun in Cloudflare's reverse proxies caused responses for
3,400 websites to leak private data belonging to other Cloudflare customers. What made
the issue worse was that search engines had cached the leaked data.

KRACK 

In October 2017 the Belgian researchers Mathy Vanhoef and Frank Piessens published
details of KRACK, a key reinstallation flaw in the WPA2 four-way handshake that can be
exploited to decrypt and steal data on a WPA2 Wi-Fi network. All implementations of
WPA2 are affected to some degree; Android, Linux, Apple, Windows, OpenBSD, MediaTek,
Linksys and others are each affected by some variant of the attack.
Bitcoin Exchanges & ICOs Breaches

With the price of cryptocurrencies skyrocketing, it is no surprise that bitcoin exchanges
and initial coin offerings (ICOs) are among the prime targets for attackers.

In July 2017, the cryptocurrency wallet provider Parity, which aimed to provide the
lightest, fastest and most secure Ethereum client, was hacked through a bug in its
multi-signature wallet contract, resulting in at least 150,000 ether stolen from user accounts.

In July 2017, the website of Coindash, which was running an ICO, was hacked. Attackers
replaced the Ethereum address being used to raise funds with one that belonged to them,
and collected $7 million in Ethereum in this heist.

In July 2017, attackers stole and used the credentials of Guy Zyskind, the company's CEO,
to infiltrate the Enigma ICO's website, Slack group and email list. They then sent messages
to all subscribers asking for funds before the actual ICO had started, collecting roughly
$500,000 in Ethereum.

On December 6, 2017, the Slovenia-based mining marketplace NiceHash was hacked and
a total of 4,700 BTC was stolen, following what the company described as a highly
sophisticated social engineering attack.

Data Breaches 

On April 14, 2017, a hacking group known as the 'Shadow Brokers' released a trove of
alleged NSA data detailing exploits and vulnerabilities in a range of technologies. The
exploits were then used in several ransomware attacks throughout the year.

On June 12, 2017, personal information on nearly 200 million U.S. voters was discovered
on an unsecured cloud server operated by the political data firm Deep Root Analytics.

In July, HBO confirmed that its computer systems had been breached, resulting in the
compromise of 'proprietary information'. Behzad Mesri was later charged with hacking
HBO's servers, stealing proprietary data including information about then-unreleased
episodes of Game of Thrones, and threatening to release the data unless he was paid
$6 million.

On July 29, 2017, the credit reporting agency Equifax discovered a severe breach of its
consumer dispute portal, attributed to an unpatched vulnerability in the Apache Struts
framework the portal was built on (CVE-2017-5638). The breach affected 145.5 million
US consumers.
Statistics of A grade Banks & Online Payment Systems

Banking institutions and payment service providers play an important role in the overall
economy of the country. Although these organizations claim to have undergone security
audits, a quick surface analysis of their web applications revealed that most of them still
lack basic security practices.

After analyzing 27 e-banking sites of A-grade banks and 4 payment service providers, we
were astounded that 13 of these applications were vulnerable to clickjacking. Clickjacking
is a technique that tricks a web user into clicking on something different from what the
user perceives they are clicking on, typically by loading the target site in an invisible frame
on the attacker's page. Though most actions in e-banking applications are protected by a
secondary (transaction) password, not all actions require it, and in certain circumstances
this may allow a malicious user to steal funds from a victim's account. The defence is to
forbid framing with an X-Frame-Options: DENY header or a Content-Security-Policy
frame-ancestors directive.

4 out of 27 e-banking sites were still vulnerable to POODLE, typically because they still
accept SSLv3 connections. POODLE allows an attacker who controls the network path
between the victim's browser and the server, and who can run some code in the browser
(for instance JavaScript on a site the victim visits), to force a downgrade to SSLv3 and
decrypt parts of the encrypted traffic, such as session cookies, byte by byte.

Out of the 27 e-banking sites and 4 online payment systems, 1 application had a major
security flaw that allowed an attacker to steal funds from any logged-in victim.

We also analysed the main websites of these organizations and discovered that 1
application was exposing its 'phpinfo' page and another had a CRLF injection vulnerability.

Figure 1: Statistics of A grade banks & Payment Service Providers (bar chart; the counts are given in the text above)
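The clickjacking finding above comes down to two response headers. The following is an added example, not code from the ThreatNix report: it classifies a site's exposure from the headers it returns and emits the hardened pair a bank should send. The header sets are constructed for illustration.

```python
"""Added example (not part of the ThreatNix report): classify a site's
clickjacking exposure from its HTTP response headers, and emit the
hardened headers an e-banking site should send. Header values are constructed."""
from typing import Mapping


def _frame_ancestors(csp: str):
    """Return the source list of the CSP frame-ancestors directive, or None
    if the policy has no such directive. A bare 'frame-ancestors' with no
    sources matches nothing, which is equivalent to 'none'."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]] or ["none"]
    return None


def clickjacking_exposure(headers: Mapping[str, str]) -> str:
    """Return 'protected', 'weak' or 'exposed'.

    Rules applied:
    - CSP frame-ancestors, when present, overrides X-Frame-Options.
    - frame-ancestors 'none', 'self' or an explicit origin list => protected;
      a '*' or a bare scheme (https:) lets any site frame the page => exposed.
    - X-Frame-Options DENY / SAMEORIGIN => protected.
    - X-Frame-Options ALLOW-FROM is obsolete and ignored by current
      browsers, so it protects nothing => weak.
    - neither header => exposed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
                return "exposed"
            return "protected"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"
    return "exposed"


def hardened_frame_headers() -> dict:
    """Headers an e-banking application should send so it cannot be framed.
    Both are set because older browsers only honour X-Frame-Options."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


# Constructed header sets illustrating each verdict.
SAMPLES = {
    "no headers at all": {},
    "legacy allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp wildcard overrides xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
    },
    "hardened": hardened_frame_headers(),
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:28s} -> {clickjacking_exposure(hdrs)}")
```

Feed it the headers of a real login page (for example from `curl -sI`) and treat anything other than 'protected' as a finding; the third sample shows why a scanner must parse the CSP rather than stop at X-Frame-Options.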
Cryptojacking

Cryptojacking is a form of cryptomining, the production of cryptocurrency using
computing power. Cryptojacking, in short, is the secret use of computer resources to mine
cryptocurrency, where 'secret' means using others' computing devices without their
consent or knowledge. Cryptojacking has been around for quite some time. What is new is
the use of browsers, which have become very powerful as they keep evolving with rich sets
of capabilities. So-called in-browser cryptojacking came to light when Showtime was
reportedly found using the online cryptominer Coinhive in September 2017. Browser-based
cryptominers like Coinhive work by embedding JavaScript in a website that uses the
processing power of visiting devices to mine cryptocurrency (Monero, in Coinhive's case).
Thereafter a steady rise in the use of Coinhive was found in popular sites like The Pirate
Bay and even YouTube.

Unsurprisingly, this also appeared in Nepali cyberspace: OnlineKhabar was detected using
Coinhive on Nov 28, 2017. Days after that, another online news portal, BarhaKhari, was
also found doing the same.

We ran a series of scans against all the .np domains collected earlier (see Statistics of
Websites in Nepal) to detect cryptojacking, searching page content for Coinhive and the
other online cryptominers on the market at the time. Out of 11785 unique domains, we
found 9 using Coinhive directly on their homepage. The following figure shows the number
of affected domains per TLD:

Figure 2: Number of TLDs involved in cryptomining (.com.np, .edu.np, .org.np, .info.np)
Vulnerable Devices

WannaCry: EternalBlue 

The WannaCry ransomware, exploiting EternalBlue from the NSA leaks, took the world by
storm in May 2017. It targeted computers running Microsoft Windows, encrypting data
and demanding ransom payments in Bitcoin. It propagated through EternalBlue, an exploit
against the SMBv1 service of older Windows systems that had been released by the
Shadow Brokers a few months before the attack. Although Microsoft had already released
patches for the vulnerability (MS17-010), WannaCry hit organisations that had not applied
them or were running Windows versions past their end-of-life. WannaCry also installed the
DoublePulsar backdoor on infected systems.

Source: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

A quick Shodan search for SMB-enabled devices revealed a total of 82 devices in Nepal. 4
of these devices were found vulnerable to EternalBlue (MS17-010) and 54 were not
vulnerable, while 24 devices threw a communication exception during the test.



Figure 3: Statistics of WannaCry vulnerable devices 
HeartBleed

HeartBleed (CVE-2014-0160) is a well-known vulnerability in the OpenSSL implementation
of TLS that allows anyone on the Internet to read the memory of systems protected by
vulnerable versions of OpenSSL, through an unchecked length in the TLS heartbeat
extension. The leaked memory can include, but is not limited to, private keys, users'
credentials and the actual content of the protected traffic. Although the vulnerability was
disclosed in April 2014 and patches were made available immediately, it can still be found
on the Internet. We found several vulnerable hosts in Nepal as well, belonging to different
organizations and infrastructures, ranging from critical government infrastructure to ISPs'
websites. In the figure below, the vulnerable websites are categorized by the organization
that hosts them.

Figure 4: HeartBleed vulnerable sites based on hosting organizations
Subisu 36.0%, Nepal Telecom 20.0%, WorldLink 12.0%, NITC 8.0%, WebSurfer 4.0%, Classic Tech 4.0%, NREN 4.0%, Dataspace 4.0%, Access World 4.0%, Vianet 4.0%
Hacked Websites & Network Devices

Defacing is the hacking of a website and the replacement of its content with arbitrary
content chosen by the attacker.

Defaced Websites 

To determine the prevalence of defacement in Nepal, we researched defaced Nepali
websites with the help of Zone-H. Zone-H is an archive of defaced websites: once a
defaced website is submitted, it is mirrored on the Zone-H servers, and the submission is
moderated by the Zone-H staff to verify that the defacement is genuine.

We found that a total of 756 '.np' websites were defaced in 2017 alone. Of these, 332
were commercial websites (.com.np), 160 government websites (.gov.np), 133 websites of
educational institutions (.edu.np), 123 organizational websites registered in Nepal
(.org.np), 4 network operator websites (.net.np) and the remaining 4 co-operative websites
(.coop.np).
Figure 5: Number of websites hacked categorized by TLDs
Mass Defacement
Figure 6: Number of TLDs found in Mass Defacement

Researching the mass defacement of Nepali websites through Zone-H, we observed that
595 websites had been victims of mass defacement in 2017. Of these, 273 were
commercial websites (.com.np), 126 government websites (.gov.np), 98 organizational
websites (.org.np), 89 educational websites (.edu.np) and 4 network operator websites
(.net.np). The remaining defaced websites were under '.pro.np', '.accountants.np',
'.bio.np', '.diamonds.np' and '.name.np'.

Hacked Network Devices 

A Shodan search for hacked network devices revealed 3 Ubiquiti network devices whose
hostnames had been changed to "HACKED-ROUTER-HELP-SOS-xxx-xxxxx-xxxxx", where the
part represented by x states how the device was compromised. For instance, one device's
hostname had been changed to "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED". A
quick Google search for MFWORM shows that UBNT devices were indeed targeted by this
worm, and that apart from renaming the device to "HACKED-ROUTER-HELP-SOS-xxx-xxxxx-
xxxxx" nothing malicious was reported.

There is a community post discussing this issue on the Ubiquiti forums:

https://community.ubnt.com/t5/airMAX-General-Discussion/Device-name-quot-HACKED-ROUTER-HELP-SOS-DEFAULT-PASSWORD-quot/td-p/1664028/page/2

The three devices that we found infected by the MFWORM had the following hostnames,
one per device:

"HACKED-ROUTER-HELP-SOS-HAD-DEFAULT/DUPE-PASSWORD"
"HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED"
"HACKED-ROUTER-HELP-SOS-VULN-EDB-39701"

Figure 7: Statistics of hacked Network devices (DEFAULT-PASS 33%)
Default Credentials in Network Devices

WiMAX Devices

WiMAX (Worldwide Interoperability for Microwave Access) is a family of wireless
communication standards based on IEEE 802.16, which provides multiple physical layer
(PHY) and Media Access Control (MAC) options. Nepal Telecom provides 4G WiMAX (IEEE
802.16e) service for broadband Internet access.

https://www.ntc.net.np/pages/view/wimax-broadband-internet 

NT offers customers a choice of devices depending on the distance from the WiMAX base
station. The NT website has a "How to" for configuring the devices it provides for WiMAX
service.

https://www.ntc.net.np/pages/view/wimax-device-configuration 

A quick Shodan search for WiMAX devices revealed 68 devices in Nepal. Of these, 48 were
down at the time of testing, 13 were found using default credentials and 7 had their
default password changed.

Figure 8: Devices with default credentials (Password changed 10%, Connection error 71%)


TP-Link Wireless Devices 

As per TP-Link, "TP-Link is the world's #1 provider of consumer Wi-Fi networking devices,
shipping products to over 120 countries and hundreds of millions of customers". A quick
Shodan search for TP-Link devices in Nepal revealed 104 devices with a web panel on port
8080 and 44 with a web panel on port 80. Of the 104 devices running the admin panel on
port 8080, we found 20 devices with default credentials, while 52 devices had changed the
default password and 28 devices threw a communication error.

Figure 9: TP-Link devices with default credentials on port 8080 (password changed 52, default credentials 20, connection error 28)


Similarly, of the 44 TP-Link devices running the admin panel on port 80, we found 6
devices using default credentials, while 24 devices had changed the default password and
14 devices threw a connection error.

Figure 10: TP-Link devices with default credentials on port 80 (default credentials 6, password changed 24, connection error 14)

Below is the graph showing the TP-Link devices that belong to the top 5 Internet Service
Providers of Nepal.
Figure 11: Top 5 ISPs with TP-Link devices (ArrowNet, HONS Network, Subisu, ViaNet, WorldLink)

Among the various TP-Link products, the most commonly seen in Nepal was the TP-Link
WR740N, followed by the WR841N. Here are the top 5 products seen in Nepali cyberspace.

Figure 12: Top 5 TP-Link product categories (WR740N, WR841N, WR941ND, WR741ND, WR941N)
Password in Banner

A quick Shodan search revealed 11 devices in Nepal announcing a password in their
service banner. Of these, 2 devices were still using the announced password, 5 had
changed it, and 4 were unreachable at the time of testing.

Figure 13: Statistics of devices with password announced in banner (Password changed 45%)

Figure 14: Top 5 organizations with password in banner (legend entries recovered: Classic Tech, WorldLink, Nepal Telecom, Classic Support)
Misconfigured Database Instances

During our research we found quite a few misconfigured database instances: databases
with no authentication or with default credentials, and instances that should never face
the Internet but do. All the Internet-facing Kibana and Redis instances we found had no
authentication in place. All the MongoDB instances accepted unauthenticated
connections, but only 25% of them went on to execute commands without authentication
(the rest accept the TCP connection but reject commands because authorization is
enabled). Of the Elasticsearch instances, only 20% were protected by authentication. We
also came across MySQL databases that used default credentials and were reachable over
the Internet. Many Memcached servers, which should only accept connections from
internal hosts, were publicly accessible. The fix is the same for all of them: bind the service
to a private interface, put it behind a firewall, and enable authentication where the
product supports it.

Figure 15: Unauthenticated database instances

Figure 16: Unauthenticated MongoDB Command Execution

Figure 17: Statistics of open Elasticsearch instances
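The Redis finding above rests on a simple probe: connect, send a read-only command, and see whether the server answers or demands a password. The following is an added example, not code from the ThreatNix report, that performs that probe over the Redis wire protocol (RESP) and sorts the result into the same open / auth-required / unreachable split the report uses. A throwaway fake server is included so it runs offline; the ports and the replies it returns are constructed.

```python
"""Added example (not part of the ThreatNix report): probe a Redis instance
over its wire protocol (RESP) and classify it as open, auth_required or
unreachable. A fake server is included so the probe runs offline; the
host, ports and replies are constructed."""
import socket
import threading


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, e.g. INFO server."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(parts)


def bulk_string(text: str) -> bytes:
    """Encode text as a RESP bulk string (used only by the fake server)."""
    raw = text.encode()
    return f"${len(raw)}\r\n".encode() + raw + b"\r\n"


def classify_reply(reply: bytes) -> str:
    """Map the raw reply to INFO into a verdict.
    - -NOAUTH (Redis >= 2.6 with requirepass) or -ERR operation not permitted
      (older releases): authentication is enforced.
    - a bulk string carrying redis_version: the server answered an
      unauthenticated read, i.e. it is open to anyone who can reach it.
    """
    if reply.startswith(b"-NOAUTH") or reply.startswith(b"-ERR operation not permitted"):
        return "auth_required"
    if reply.startswith(b"$") and b"redis_version" in reply:
        return "open"
    return "unexpected"


def probe_redis(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send INFO server (read-only, no side effects) and classify."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(resp_command("INFO", "server"))
            reply = sock.recv(4096)
    except OSError:  # refused, timed out or unroutable
        return "unreachable"
    return classify_reply(reply)


# Constructed replies for the fake server.
OPEN_REPLY = bulk_string("# Server\r\nredis_version:4.0.2\r\nos:Linux 4.4.0\r\n")
LOCKED_REPLY = b"-NOAUTH Authentication required.\r\n"


def start_fake_redis(reply: bytes) -> int:
    """Listen on 127.0.0.1 and answer every connection with `reply`.
    Returns the chosen port. Stands in for a real Redis so the probe can be
    exercised without touching anyone's infrastructure."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                conn.recv(1024)
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


if __name__ == "__main__":
    for label, port in (("open", start_fake_redis(OPEN_REPLY)),
                        ("locked", start_fake_redis(LOCKED_REPLY)),
                        ("closed", 1)):  # nothing listens on port 1
        print(f"{label:7s} -> {probe_redis('127.0.0.1', port, timeout=1.0)}")
```

The same shape of probe (connect, issue one harmless read, look at the error) is what separates "accepts connections" from "executes commands" for MongoDB, which is the distinction behind the 25% figure above. Only run it against hosts you are authorised to test.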
Statistics of Websites in Nepal

The following test cases were performed to collect website statistics for .np domains: 

1. Check for default welcome page 

2. Check for directory listing 

3. Check for external JavaScript 

4. Check for cryptojacking 

5. Check for "HACKED BY" like titles 

6. Check for existence of '.git' directory 

7. Check for existence of '.svn' directory 

8. Check for 'crossdomain.xml' 

9. Check for exposed 'phpinfo' 

10. Check for apache 'server-status' 

11. Check for WordPress content injection 

12. Check for CORS misconfiguration 

A total of 11785 unique domains were collected using several reconnaissance methods
along with wordlists gathered from various sources. We then generated the Cartesian
product of our wordlists with the .np second-level TLDs, which gave an enormous list of
candidate domain names; rather than process all of them, we restricted the candidates to
the top TLDs only. Using massdns we discarded the names that did not resolve, combined
the rest with the domain names collected from other sources, and ran the tests, which
gave the following result:

Figure 18: Statistics of Nepali Websites (categories: publicly visible .svn, publicly exposed server-status, exploitable crossdomain.xml, publicly visible .git, directory listing enabled on home, using JavaScript cryptocurrency miners, presumably hacked, fetching JavaScript from external hosts, default welcome page, exposed phpinfo)
We treat www.example.com and example.com as different domains. To avoid false
positives, results were also verified manually.

Following are the tests we carried out for each of the test cases:

Default Welcome Page 

The most reliable indicator of a default page is its title. We gathered nine default-page
titles from IIS, nginx, JBoss, Bitnami, Ruby on Rails, Tomcat, Apache and GlassFish. This
gave us 69 unique domains with a default welcome page; 90% of them were running
Apache on CentOS, while only 5% were running on Ubuntu.

“Hacked By” Like Titles 

Since we were already looking for default titles, we expanded our search to titles
generally found on hacked or defaced web pages, taken from the defaced pages in the
Zone-H archive. Even this small set of titles revealed 28 unique domains which were, in
fact, all hacked and defaced.

External JavaScript Hosts 

Sites referencing JavaScript from external paste-style hosts are a common sign of
compromise. We checked whether any .np domains referenced JavaScript from hosts like
Pastebin and other popular hosts and, to no surprise, found 53 sites loading JavaScript
from sources like yourjavascript.com.

Using In-Browser Cryptominers 

Although a large number of .np domains were hacked in 2017, only 9 domains were found
carrying cryptominers. All of them embedded Coinhive directly on their homepage, and
the embedded miner started mining as soon as the page was visited.
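The four title- and script-based checks above (default welcome page, "hacked by" titles, external JavaScript hosts, in-browser miners), together with the Cryptojacking section and the directory-listing and phpinfo checks from the test-case list, all reduce to pattern matching over the fetched HTML. The following is an added example of those checks, not the report's own scanner: the signature lists are a starting set of the author's own rather than the report's wordlists, and the sample pages are constructed.

```python
"""Added example (not part of the ThreatNix report): per-page content checks
for default welcome pages, defacement titles, externally hosted JavaScript,
in-browser cryptominers, directory listings and exposed phpinfo pages.
Signature lists are a constructed starting set; extend them from real pages."""
import re
from urllib.parse import urlsplit

# Titles web servers ship with before a site is deployed (constructed set).
DEFAULT_TITLES = {
    "welcome to nginx!",
    "iis windows server",
    "apache2 ubuntu default page: it works",
    "apache http server test page powered by centos",
    "glassfish server - server running",
    "welcome to jboss",
}
DEFACEMENT_RE = re.compile(r"\b(hacked|owned|pwned|defaced)\s+by\b", re.I)
# Paste-style hosts named in the report plus the 2017 Coinhive script hosts.
SUSPICIOUS_SCRIPT_HOSTS = {"pastebin.com", "yourjavascript.com", "coinhive.com", "coin-hive.com"}
MINER_RE = re.compile(
    r"coinhive\.min\.js|CoinHive\.(?:Anonymous|User)\s*\(|coin-hive\.com|"
    r"authedmine\.com|crypto-loot\.com|jsecoin\.com",
    re.I,
)
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src\s*=\s*[\"']([^\"']+)[\"']", re.I)
PHP_VERSION_RE = re.compile(r"PHP Version\s+(\d+)\.(\d+)\.(\d+)")


def page_title(html: str) -> str:
    match = TITLE_RE.search(html)
    return re.sub(r"\s+", " ", match.group(1)).strip() if match else ""


def external_script_hosts(html: str, site_host: str) -> set:
    """Hosts, other than the site itself, that the page loads <script src> from."""
    host = site_host.lower()
    own = {host, "www." + host, host[4:] if host.startswith("www.") else host}
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        src_host = urlsplit(src.strip()).hostname  # None for relative URLs
        if src_host and src_host.lower() not in own:
            hosts.add(src_host.lower())
    return hosts


def phpinfo_version(html: str):
    """Return (major, minor, patch) from an exposed phpinfo() page, else None."""
    match = PHP_VERSION_RE.search(html)
    return tuple(int(n) for n in match.groups()) if match else None


def audit_page(html: str, site_host: str) -> dict:
    """Run every check on one fetched page and return the findings."""
    title = page_title(html)
    lower = title.lower()
    external = external_script_hosts(html, site_host)
    return {
        "title": title,
        "default_welcome_page": lower in DEFAULT_TITLES or lower.startswith("apache tomcat/"),
        "defaced": bool(DEFACEMENT_RE.search(title)),
        "directory_listing": lower.startswith("index of /"),
        "external_script_hosts": sorted(external),
        "suspicious_script_hosts": sorted(external & SUSPICIOUS_SCRIPT_HOSTS),
        "cryptominer": bool(MINER_RE.search(html)),
        "phpinfo_version": phpinfo_version(html),
    }


# Constructed sample pages (no real sites).
SAMPLE_DEFACED = """<html><head><title>Hacked By Example Crew</title>
<script src="https://pastebin.com/raw/abc123"></script></head><body>owned</body></html>"""
SAMPLE_MINER = """<html><head><title>Daily News</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER'); miner.start();</script>
</head><body>news</body></html>"""
SAMPLE_PHPINFO = """<html><head><title>phpinfo()</title></head>
<body><h1 class="p">PHP Version 5.6.30</h1></body></html>"""
SAMPLE_CLEAN = """<html><head><title>My Site</title>
<script src="/static/app.js"></script><script src="https://www.example.com.np/x.js"></script>
</head></html>"""

if __name__ == "__main__":
    for name, html in (("defaced", SAMPLE_DEFACED), ("miner", SAMPLE_MINER),
                       ("phpinfo", SAMPLE_PHPINFO), ("clean", SAMPLE_CLEAN)):
        print(name, audit_page(html, "example.com.np"))
```

Regex matching is enough for a first pass across thousands of homepages; as the report notes, hits still need manual verification, since a news article quoting a miner snippet or a security blog titled "hacked by" would trip these checks.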

CORS Misconfiguration 

Cross-Origin Resource Sharing (CORS) is a mechanism that lets client-side script on one
origin read responses from another origin, which the browser's same-origin policy
otherwise forbids. When CORS is configured improperly, for example by reflecting any
Origin header with Access-Control-Allow-Credentials: true, an attacker's site can read a
logged-in user's private data from the vulnerable application. 6 of the 11785 tested sites
had misconfigured CORS, meaning that if a user logged in to one of them visits the
attacker's site, the attacker can read the user's private information from that site.

WordPress Content Injection 

WordPress 4.7.0 and 4.7.1 enable the REST API by default and are vulnerable to
unauthenticated content injection (CVE-2017-1001000): any unauthenticated user can
modify the content of any post or page. The fix shipped silently in WordPress 4.7.2,
released on January 26, 2017, and Sucuri Inc. publicly disclosed the vulnerability on
February 1, 2017. Almost a year later, we tested whether vulnerable WordPress sites
remained. Of the 11785 sites tested, 4 were still vulnerable to the content injection.

Vulnerable 'crossdomain.xml'

'crossdomain.xml' is a cross-domain policy file that grants web clients such as Adobe Flash
Player and Adobe Reader permission to make requests to, and read data from, the hosting
domain on behalf of other domains. Of the 11785 domains, only 223 served a
'crossdomain.xml' file. Of these 223, 28 allowed interaction from any domain
(allow-access-from domain="*") and were deemed vulnerable.
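Both the CORS misconfiguration and the permissive crossdomain.xml above are the same class of bug, a cross-origin policy that trusts ever yone, expressed in two different mechanisms. The following is an added example, not the report's own tooling, that evaluates a CORS response for an attacker-chosen Origin and, separately, classifies a crossdomain.xml policy the way Flash would apply it. The probe origin, headers and policy files are constructed.

```python
"""Added example (not part of the ThreatNix report): decide whether a CORS
response, and separately a crossdomain.xml policy, lets an arbitrary origin
read the site's data. Probe origin, headers and policies are constructed."""
import xml.etree.ElementTree as ET


def cors_verdict(probe_origin: str, headers: dict) -> str:
    """Classify the Access-Control-* headers returned to a request that
    carried `Origin: probe_origin` (an attacker-controlled value).

    reflected_with_credentials: origin echoed back and credentials allowed,
        so a logged-in victim's responses are readable from the attacker's
        page (the case described in the text above).
    reflected: origin echoed without credentials; only public data leaks.
    null_with_credentials: 'null' allowed with credentials; a sandboxed
        iframe or file:// page sends Origin: null and can read responses.
    wildcard: '*' (browsers never attach credentials to it).
    restricted: no header, or a fixed origin that is not ours.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "restricted"
    if acao == "*":
        return "wildcard"
    if acao == "null":
        return "null_with_credentials" if creds else "restricted"
    if acao == probe_origin:
        return "reflected_with_credentials" if creds else "reflected"
    return "restricted"


def crossdomain_verdict(policy_xml: str) -> str:
    """Classify a crossdomain.xml policy as Flash/Reader would apply it.

    open_to_all: allow-access-from domain="*"; a Flash movie on any site may
        make credentialed requests to this host and read the responses.
    scoped: only listed domains or wildcard subdomains (*.example.com.np).
    restricted: no allow-access-from, or policies disabled via site-control.
    invalid: not a cross-domain-policy document.
    """
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return "invalid"
    if root.tag != "cross-domain-policy":
        return "invalid"
    control = root.find("site-control")
    if control is not None and control.get("permitted-cross-domain-policies") == "none":
        return "restricted"
    domains = [el.get("domain", "") for el in root.iter("allow-access-from")]
    if "*" in domains:
        return "open_to_all"
    return "scoped" if domains else "restricted"


# Constructed samples.
PROBE_ORIGIN = "https://attacker.example"
CORS_SAMPLES = {
    "reflects any origin with credentials": {
        "Access-Control-Allow-Origin": PROBE_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
    },
    "public wildcard": {"Access-Control-Allow-Origin": "*"},
    "fixed allow-list": {"Access-Control-Allow-Origin": "https://app.example.com.np"},
}
OPEN_POLICY = '<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
SCOPED_POLICY = '<cross-domain-policy><allow-access-from domain="*.example.com.np" secure="true"/></cross-domain-policy>'
DISABLED_POLICY = '<cross-domain-policy><site-control permitted-cross-domain-policies="none"/></cross-domain-policy>'

if __name__ == "__main__":
    for name, hdrs in CORS_SAMPLES.items():
        print(f"CORS {name:38s} -> {cors_verdict(PROBE_ORIGIN, hdrs)}")
    for name, xml in (("open", OPEN_POLICY), ("scoped", SCOPED_POLICY), ("disabled", DISABLED_POLICY)):
        print(f"crossdomain.xml {name:8s} -> {crossdomain_verdict(xml)}")
```

When probing a live site, send two requests, one with an arbitrary origin and one with `Origin: null`, because a server can pass the first and still fail the second; and compare the verdict against the response to a request with no Origin header at all, since some frameworks only add the headers when asked.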

Publicly exposed ‘.git’ 

The '.git' directory holds the version control metadata and object store used to track
changes in the source code. When it is web-accessible, the full source history of the
application can be reconstructed, including any credentials committed to it. There were
54 domains with a publicly accessible .git directory, which in certain circumstances can be
leveraged to take full control of the server.

Publicly exposed ‘.svn’ 

Similar to Git, SVN is another version control system. Only 3 domains had a publicly
accessible '.svn' directory. This, together with the presence of the wc.db working-copy
database (SVN 1.7 and later), allows the source code to be downloaded, which again poses
a serious risk.

Publicly exposed ‘server-status’ 

Apache's 'server-status' page lets server administrators see how well their servers are
performing. It exposes server information along with the IP addresses and requested URLs
of current visitors. We found 13 domains exposing 'server-status', 6 of which also disclosed
private IP addresses.

Publicly exposed ‘phpinfo’ 

Like server-status, 'phpinfo' is a debugging page intended for administrators that discloses
complete information about PHP and its configuration, including paths, loaded modules
and environment variables. We found 624 domains disclosing 'phpinfo': 151 at info.php,
43 at test.php, 75 at pinfo.php and 415 at phpinfo.php (some domains expose it at more
than one path). We also extracted the version information to see what versions people
are using. The result was quite surprising: none of the servers found were running an
up-to-date version of PHP. 93%, i.e. 581, were running PHP 5.x and the remaining 43 were
running PHP 7.x.

In addition, we also checked how many domains were using SSL/TLS. Of the 11785 unique
domains, only 482 had implemented it. TLS provides confidentiality and verifies the
authenticity of the data exchanged, and is a basic security requirement for any website
that collects user information or delivers sensitive information. Sadly, even such websites
were rarely found to have implemented it.

Unsafe Use of Version Control Systems 

API key leakage on Git 

With the increasing popularity of version control software like Git, the use of GitHub
among Nepali developers has also increased tremendously. However, careless use of
GitHub can have devastating effects. During our research we reviewed more than 4.5
million lines of code from the top GitHub users in Nepal, and the result was shocking:
developers were hardcoding API keys in their code and committing them to public
repositories. We found a Flickr API key and a Bing API key, along with a few password
hashes, publicly available to anyone. An attacker could automate the discovery of such
keys in public GitHub repositories and compromise the victims' data. Secrets belong in
environment variables or a secret store, and a pre-commit secret scanner catches the ones
that slip through.
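The automated discovery described above is a regex sweep with an entropy filter to drop placeholders, and the same code doubles as a pre-commit hook. The following is an added example, not the report's tooling: the patterns are a constructed starting set, and the sample file, keys included, is made up (the two 32-hex values are the MD5 of an empty string and a counting pattern, not real Flickr or Bing keys).

```python
"""Added example (not part of the ThreatNix report): a small scanner of the
kind an attacker, or a pre-commit hook, runs over source code to find
hardcoded credentials. Patterns are a constructed starting set; the sample
file and every key in it are fake."""
import math
import re

# (name, regex, group holding the secret). Vendor key formats change, so
# these patterns must be maintained; they are illustrative.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("credential_assignment",
     re.compile(r"(?i)(api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"), 2),
    ("32_hex_token (Flickr/Bing-style key or MD5 hash)", re.compile(r"\b[a-f0-9]{32}\b"), 0),
]


def shannon_entropy(text: str) -> float:
    """Bits per character; random keys score high, words like 'changeme' low."""
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan_source(source: str, min_entropy: float = 3.0) -> list:
    """Return [{line, kind, secret, entropy}] for likely hardcoded secrets.
    Low-entropy matches (placeholders, dictionary words) are dropped so the
    hook does not cry wolf on DB_PASSWORD = "changeme"; a value caught by
    two patterns on the same line is reported once."""
    findings, seen = [], set()
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, regex, group in PATTERNS:
            for match in regex.finditer(line):
                secret = match.group(group)
                entropy = shannon_entropy(secret)
                if entropy < min_entropy or (lineno, secret) in seen:
                    continue
                seen.add((lineno, secret))
                findings.append({"line": lineno, "kind": kind, "secret": secret,
                                 "entropy": round(entropy, 2)})
    return findings


def redact(secret: str) -> str:
    """Keep only a short prefix, as any report or log line should."""
    return secret[:4] + "*" * max(0, len(secret) - 4)


# Constructed sample: a settings file of the kind found in public repositories.
SAMPLE_SOURCE = '''# settings.py (constructed sample; every value here is fake)
FLICKR_API_KEY = "d41d8cd98f00b204e9800998ecf8427e"
BING_KEY = "0123456789abcdef0123456789abcdef"
DB_PASSWORD = "changeme"
SESSION_SECRET = "xK9#pL2$vQ8@wR4!nT6^mY1&bZ3*"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {redact(f['secret'])} (entropy {f['entropy']})")
```

Run it over the files staged for commit and refuse the commit on any finding; a key that has already been pushed to a public repository must be treated as compromised and rotated, because removing it from the latest commit leaves it in the history.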
Private Data Leakage Through Governmental Websites


Figure 19: Number of voters and Facebook users (chart of the number of voters in 2017, split into the number of voters' data that can't be leaked via Facebook and the number of voters' data prone to being leaked via Facebook) 


It might come as a surprise that online portals run and maintained by our government 
are leaking our private data to potential attackers. Personal information such as the picture, 
citizenship number, phone number, home address and family members' names of 
millions of citizens is publicly exposed. Anyone can access this private data of 
thousands of individuals without any hacking, social engineering or anything else that 
would require any sort of technical skill. 

Election Commission, Nepal holds the database of all the voters who participated in the recent 
elections. The total number of voters according to the Election Commission is 14,054,482. 
These voters can view their personal details at 
http://www.election.gov.np/election/np/bbvrs, where the only verification the application 
asks for before giving out personal details is the date of birth. According to Internet World Stats 
(internetworldstats.com), the total number of Facebook users in Nepal is 6,400,000, and 
most of these Facebook users have their birth dates public on their profile. This leaves 
about 45% of the voters' personal details prone to being exposed. Moreover, the date of 
birth of many people can be found just by googling them, which leaves most 
celebrities, media personalities and politicians vulnerable to the data leak. 
Similarly, the Inland Revenue Department, Nepal holds the database of all PAN card holders 
in Nepal. While there is no exact figure for the total number of PAN card holders, it can 
safely be assumed to be in the millions. The Inland Revenue Department provides taxpayers with 
an option to search for PAN details using PAN numbers, accessible through 
https://web.ird.gov.np/etds/pan_details.php. The problem with the above service is that most 
PAN numbers are allocated in incremental order and the captcha that has been 
implemented to stop malicious actors from abusing the service doesn't quite work as 
expected. While it might be a feature that the Inland Revenue Department is providing to 
taxpayers, it can also be used by malicious parties to steal personal details such as the name, 
personal phone number and address of taxpayers. 
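Both lookup services above share the same weakness: a record is returned for a single guessable input (a date of birth, or a PAN number taken from an incrementing sequence), so abuse looks like one client walking the identifier space. Below is an added example, not the report's tooling, of how the operator of such a service could spot that pattern in ordinary web server access logs. The log lines are constructed, the `pan` query parameter name is an assumption (the report does not give it), and the thresholds are starting points to tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl

# Added example: spot sequential-identifier enumeration against a lookup endpoint
# in Combined-Log-Format access logs. The log lines are constructed; the query
# parameter name "pan" is an assumption, the report does not give it.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": path,
        "params": dict(parse_qsl(query)),
        "status": int(m.group("status")),
    }


def detect_enumeration(lines, path="/etds/pan_details.php", param="pan",
                       window_s=300, min_hits=10, max_step=5, min_seq_ratio=0.8):
    """One alert per client that walks the identifier space in near-sequential order.

    A client is flagged when, inside some window_s-second window, it issued at least
    min_hits lookups and at least min_seq_ratio of the consecutive identifier
    differences are small (|step| <= max_step). That is what an incrementing scan
    looks like; a legitimate user queries a few unrelated numbers.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"] != path:
            continue
        ident = rec["params"].get(param, "")
        if ident.isdigit():
            per_ip[rec["ip"]].append((rec["ts"], int(ident)))

    alerts = []
    for ip, hits in per_ip.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            window = hits[start:end + 1]
            if len(window) < max(min_hits, 2):
                continue
            steps = [b[1] - a[1] for a, b in zip(window, window[1:])]
            ratio = sum(1 for s in steps if 1 <= abs(s) <= max_step) / len(steps)
            if ratio >= min_seq_ratio and (best is None or len(window) > best["count"]):
                best = {
                    "ip": ip,
                    "count": len(window),
                    "first_id": window[0][1],
                    "last_id": window[-1][1],
                    "seq_ratio": round(ratio, 2),
                    "window_start": window[0][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


def _line(ip, second, url):
    """Build one constructed access-log line at 10:00:<second> on a fixed date."""
    return (f'{ip} - - [12/Oct/2017:10:{second // 60:02d}:{second % 60:02d} +0545] '
            f'"GET {url} HTTP/1.1" 200 812')


# Constructed sample: one client walking 12 consecutive PAN values one second apart,
# one ordinary client looking up two unrelated numbers, and a request to another page.
SAMPLE_LOG = (
    [_line("203.0.113.7", i, f"/etds/pan_details.php?pan={100000101 + i}") for i in range(12)]
    + [
        _line("198.51.100.23", 5, "/etds/pan_details.php?pan=300456789"),
        _line("198.51.100.23", 40, "/etds/pan_details.php?pan=300112233"),
        _line("198.51.100.23", 41, "/index.php"),
    ]
)

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The same sliding-window logic applies to the voter portal by keying on the voter identifier and counting distinct date-of-birth values tried per identifier instead of sequential steps. Detection is the second line; the first is to make the lookups not worth walking, by rate-limiting per client and per record, requiring a second factor the caller must already possess, and returning only the fields the taxpayer or voter actually needs.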
Presence of Nepal in DarkNet 

Darknet Drug Market 

A drug trader based in Nepal was found selling drugs in a darknet drug market. The dealer, 
going by the name JARIBOOTIWALA, was selling Opium and Modafinil that were allegedly 
shipped from Nepal. 



[Screenshot: darknet market listings by seller JARIBOOTIWALLA: "OPIUM (1 GRAM) [1.0 GRAMS]", ships from Asia (region); "GENERIC MODAFINIL MODALERT 200 (PACK OF 10 TABS) [10.0 PILLS]", ships from Nepal (Asia).] 


While only one drug trader was shipping drugs directly from Nepal, various other drug 
traders were allegedly from Nepal. Most of these drugs were Opium, Hash and Charas. 
They were being shipped from various countries worldwide but claimed to be sourced 
from Nepal. 
[Screenshot: darknet market search for "nepal" produced 54 results. Columns: category, title, price, seller, ship to, ship from. The visible rows are mostly Hash listings ("Bayer Opium - Premium pure organic black Himalayan", "NEPALI HASH - INDICA", "Black Nepal Hash AAA+", "Premium Pure Organic Black Himalayan Charas", "super Sweet Nepalese Cream Hash", "Nepal Hash. Coffeshop AAA+") plus two Weed seed listings; sellers shown are danhash, THCKINGS, QualityHydroBuds, candy4you, homeofdrugs and TheGermanBudtender; all ship to Worldwide, shipping from Denmark, Germany, Australia and the United Kingdom.] 


Child Pornography in Nepal 

It is no secret that Nepal has been a hub for pedophiles for quite some time now. Apart 
from predators visiting the country for child exploitation, Nepal has also garnered quite a 
reputation in child pornography forums on the darknet; the following screenshot shows 
pedophiles' opinions on Nepal. 

There are at least 602 child care homes housing 15,095 children in Nepal [84] "Orphanages have turned into a Nepalese industry there is rampant 
abuse and a great need for intervention."[29][85] Many do not require adequate checks of their volunteers, leaving children open to abuse.[34] 

These kinds of opinions regarding orphanages in Nepal make it a target for pedophiles 
who wholeheartedly believe these claims, which are somewhat reflective of the truth. 

Visitors to developing countries can be taken in by orphanage scams, which can include orphanages created for the day[24] or orphanages set up 
as a front to get foreigners to pay school fees of orphanage directors' extended families.[25] Alternatively the children whose upkeep is being funded 
by foreigners may be sent to work, not to school, the exact opposite of what the donor is expecting.[26] The worst even sell children.[27][23][29] In 
Cambodia some are bought from their parents for very little and passed on to westerners who pay a large fee to adopt them.[30] This also happens 
in China.[31] In Nepal, orphanages can be used as a way to remove a child from their parents before placing them for adoption overseas, which is 
equally lucrative to the owners who receive a number of official and unofficial payments and "donations".[32][33] In other countries, such as 
Indonesia, orphanages are run as businesses, which will attract donations and make the owners rich; often the conditions orphans are kept in will 
deliberately be poor to attract more donations.[34] 

These public discussions should encourage us to be more critical of people trying to adopt 
children. While most people adopting a child do so out of love and compassion with no 
ill intent, if there exists even a slim probability that someone is motivated by ill will 
and that there is a chance of children being exploited, then extreme vigilance is warranted. 

Moreover, there were not only discussions regarding Nepal; much child pornography 
material from Nepal was also being distributed from these sites on the darknet. 
Furthermore, some Nepali users were also found to be actively distributing content in 
these forums. 


[Screenshot: forum profile page of one such user, with the username redacted. Groups: Registered users. Joined: Sat Sep 30, 2017 6:47 pm; Last visited: Sun Oct 08, 2017 11:10 pm; Total posts: 32.] 

The following content was discovered on various child pornography distribution forums 
on the darknet. 

[Screenshots of forum posts: "Azov- a River in Nepal" (posted Mon Feb 27, 2017); "Beautiful insight into the nature of Naples and the naked facts", 612 MB, 40:40 min.; "Travellerworld part 1/7 travel pictures nudes only and info (Nepal) (not mine)"; image folders including "1973 India Nepal".] 

These contents show that Nepal and its children have been a target of pedophiles from 
various countries. This is also apparent from many busts in recent history where foreign 
pedophiles have been brought into custody. 
Conclusion & Recommendations 

Ensuring a resilient, cyber secure Nepal requires the expertise and collective capabilities 
of the government and industry network owners, operators and end-users. To suppress 
cyberattacks, Nepal must remain vigilant, proactive and resourced to meet the challenges 
of a complex cyber environment. 

Cyber security efforts should aim to make Nepal a harder target and thereby increase the 
trust and confidence of all Nepalese to engage in the benefits the internet brings. Effective 
cyber security requires an alliance between government and the private sector, with 
organizations and their users taking greater responsibility for the security of their 
networks and information. 

We recommend the following measures to strengthen the security of any host: 

> Change default passwords and use strong passwords 

> Set up authentication for hosts with sensitive data 

> Patch systems periodically 

> Test the security of applications and hosts periodically 

> Do not publicly expose devices that are only required by local hosts. 

While we encourage developers to learn new technologies, we recommend against 
implementing them blindly without any regard for their security. With everything changing so 
fast, it's tempting to keep moving. However, everything has pros and cons and requires 
careful inspection prior to being implemented. A single line of code can sometimes 
have devastating effects. So, to be safe against undesirable security loopholes, we 
advise developers to pay attention to the following points: 

> Implement basic security practices in all places possible 

> Use the principle of least privilege when it comes to access control 

> Never trust data coming from the client 

> Do not put sensitive data in publicly visible areas 
While administrators and developers have to do their part to ensure the security of computer 
systems, end users must also practice some safety habits, as it's the users who are 
ultimately affected. Therefore, we suggest that end users adhere to the following 
recommendations: 

> Use anti-virus programs 

> Use ad-blockers from trusted vendors (like NoScript for Firefox) 

> Do not trust attachments received in emails 

> Do not download/install/execute programs from unknown vendors and/or sites 

> Turn on automatic updates for programs in use 

If all the respective parties follow these simple guidelines, computer systems will be 
immune to most possible attacks, thus ensuring a secure cyber domain. 